5 myths that will thwart any security strategy

"We must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense. Let's stop treating it like a back-up plan if things go wrong." -2013 Verizon DBIR

The best defense derives from knowledge of the opponent's offensive capabilities. Understanding the current threat landscape is vital to crafting a successful, business-driven security strategy.

Our security strategy must be devoid of these five myths to successfully support the business process of the organization.

1. The insider myth.

Our industry suffers from the configure-and-forget mentality. We buy the latest next-generation widget, have the vendor set it, and blissfully continue operations in a state of ignorance. Why? Because we swallow the vendor's claims hook, line, and sinker. The insider myth is an excellent example of the prevailing culture surrounding organizational security: purchasing the latest and greatest equipment based upon bogus vendor claims.

Yes, your organization could suffer significantly in the event of an insider threat. However, the data presented by Richard Bejtlich does not indicate insiders are our greatest threat. The 2015 Verizon DBIR further corroborates Bejtlich's findings. External threat actors accounted for 80 percent of reported cases.

“Should [we] ignore the insider threat in favor of the outsider threat? On the contrary. The insider threat remains the greatest single source of risk to organizations. Insider attacks have far greater negative impact to business interests and operations. Many externally initiated attacks can best be described as ankle-biter attacks launched by script kiddies.” -Richard Bejtlich

2. Our patch management is FREAKING awesome!

I hate to break the news to you, but this is simply not the case. Sure, there are exceptions to every rule, but most organizations are losing when it comes to patching vulnerable systems. No, I am not trying to insult your competence, nor am I trying to imply you lack a certain skill set. The problem is we don't know what we don't know. Vendors issue patches for known vulnerabilities. Many vulnerabilities aren’t publicly disclosed for many months.

In 2010 and 2012, private groups had access to 58 vulnerabilities affecting Microsoft, Apple, Oracle, or Adobe. These groups could have compromised all vulnerable systems without public knowledge.

During the same period, vulnerabilities remained private for an average of 151 days.

On any given day of the year, 85 privately known exploits are available.

Nation-states are no longer the sole customer in the "zero" day marketplace. Anyone with a credit card and access to the dark interwebs can purchase an exploit and target your company.

Now do you see why your patch management is not the best? It is a vital part of your strategy, but it cannot be the only piece.

3. Focus on preventing an attack.

Considering an attacker could use a “zero” day exploit (on any given day) and exploit your organization, prevention is a less desirable goal. In fact, according to SANS 511 course authors Seth Misenar and Eric Conrad, prevention is an outdated (traditional) response. Modern cyber defense should focus on detecting post-exploitation activity because it is often easier to detect. It is also where an attacker can cause the most damage.

One of the worst assumptions you can make. Scottrade recently announced they were breached during late 2013 and early 2014. They were unaware of the compromise until notified by the FBI in August of 2015. Brian Krebs reports the Scottrade breach affects 4.6 million customers and their contact information.

Data from Mandiant, Verizon, and Trustwave lead us to one conclusion: it's highly likely our organizations are breached, and we are in the dark. In 2015, Trustwave investigated 574 data compromises; 81 percent of the victims did not detect the compromise themselves. Mandiant (in 2013) reported attackers maintained access for an average of 205 days before they were discovered. The 2015 Verizon Data Breach Investigations Report confirms an ongoing inability to detect compromise in days or less. While 60 percent of attackers compromise a system in minutes or less, defenders often take days or months to discover an attack.

5. We will know when we are compromised.

The facts indicate someone will compromise our firms, and we will remain ignorant for a very long time. Most likely they will have more than six months to steal intellectual property, financial information, customer information, and anything else they can get their hands on. Dairy Queen adamantly defended themselves and swore they weren't breached. Furthermore, they insisted they would know if they were. The fact is (like Dairy Queen) we will likely remain in the dark for days or months after we are breached.

BLUF (Bottom Line Up Front):

As security professionals and business leaders, we need to stop lying to ourselves, our boards of directors, investors, and shareholders. External attackers are targeting our organizations; our defense is not based upon offense. In other words, our tactics, techniques, and procedures aren't informed by the methods used by attackers to compromise our systems. And last but not least, we have to live and operate under the assumption that we are currently compromised. To do otherwise is tantamount to burying your head in the sand and divesting from reality.